System, device, method and software for providing a visitor access to a public network

ABSTRACT

A system, device, method and software for providing a visitor access to a public network are disclosed. In one form, a virtual visitor enabled local area network includes a visitor access point operable to provide a visitor access to a public network while connected to a local area network (LAN). The visitor access point is operable to protect the LAN using a virtual visitor network established between the visitor access point and a virtual visitor network gateway.

FIELD OF THE DISCLOSURE

The disclosure relates generally to local area networking, and more particularly to a system, device, method and software for providing a visitor access to a public network.

BACKGROUND

Most enterprises do not allow visitors to access their private local area networks (LANs) due to security concerns, creating difficult work environments when visitors need to access the Internet or remote access accounts via public networks. The primary reason enterprise network managers limit access is to protect their network, servers, systems, etc. from direct or indirect malignant attacks. As such, a visitor's productivity can be significantly affected if a visitor cannot access the Internet while visiting an enterprise. For example, consultants may not be able to efficiently advise their clients without having access to a public network while they are working with clients.

Currently, some conventional solutions are available, including creating visitor accounts to provide a visitor with public access while significantly limiting access to the private LAN. Though effective, this usually requires client and server synchronized software to provide access and management of user names, passwords, access levels, etc. Such arrangements may be functional but leave a network vulnerable to outside attacks when a user accesses a public network, and require continuous management and monitoring of network accounts. As such, there is a need for enterprises to provide visitors access to a public network from within their local area network without compromising the security of their own network or having to maintain user accounts, passwords, custom software, etc.

SUMMARY OF THE INVENTION

According to one aspect of the invention, a virtual visitor enabled local area network includes a visitor access point operable to provide a visitor access to a public network while connected to a local area network (LAN). The visitor access point is operable to protect the LAN using a virtual visitor network established between the visitor access point and a virtual visitor network gateway.

According to another aspect of the invention, a device for providing visitor access to a public network via a private local area network is provided. The device includes a visitor access port operable to enable a visitor to access a public network from within a private local area network (LAN) while protecting the private LAN from the visitor. The device further includes a communication interface operably coupled to the visitor access port and the private LAN, and the communication interface is operable to communicate information between the visitor access port and a selective location within the private LAN.

According to a further aspect of the invention, a network enabled gateway operable to provide a visitor access to a public network from within a private local area network (LAN) is disclosed. The gateway includes a public network access interface operable to communicate processed virtual visitor network data packets to a public network that originate from within a private local area network (LAN). The gateway further includes a virtual network processor operable to process public network access data packets to provide virtual visitor network data packets for communication within the private LAN to provide a visitor access to the public network.

BRIEF DESCRIPTION OF THE DRAWINGS

Other advantages, features and characteristics of the invention, as well as methods, operation and functions of related elements of structure, and the combinations of parts and economies of manufacture, will become apparent upon consideration of the following description and claims with reference to the accompanying drawings, all of which form a part of the specification, wherein like reference numerals designate corresponding parts in the various figures, and wherein:

FIG. 1 illustrates a functional block diagram of a local area network incorporating a visitor access point according to one embodiment of the invention;

FIG. 2 illustrates a functional block diagram of a virtual visitor network (VVN) operable to provide a visitor access to a public network via a private local area network according to one embodiment of the invention;

FIG. 3A illustrates a functional block diagram of a virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention;

FIG. 3B illustrates a functional block diagram of a wireless enabled virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention;

FIG. 4 illustrates a functional block diagram of a virtual visitor network gateway according to one embodiment of the invention;

FIG. 5 illustrates a flow diagram of a method for processing data packets using a virtual visitor network module according to one embodiment of the invention;

FIG. 6 illustrates a functional block diagram for encapsulating visitor data packets within a private local area network according to one embodiment of the invention;

FIG. 7 illustrates a functional block diagram of network traffic within a private local area network having an access point for a visitor and an employee according to one embodiment of the invention;

FIG. 8 illustrates a functional block diagram of a network for providing visitors and employees access to a public network using a wireless local area network according to one embodiment of the invention;

FIG. 9 illustrates a functional block diagram of a network employing wire line and wireless virtual visitor access points incorporated within an Ethernet based private local area network according to one embodiment of the invention;

FIG. 10 illustrates a flow diagram of a method for processing data packets using a virtual visitor network gateway according to one embodiment of the invention;

FIG. 11 illustrates a functional block diagram of an enterprise network incorporating a virtual visitor network employing a wireless private local area network according to one embodiment of the invention;

FIG. 12 illustrates a functional block diagram of a virtual network gateway operable to provide a virtual private network in the public network and a virtual visitor network within a private local area network according to one embodiment of the invention;

FIG. 13 illustrates a functional block diagram of a virtual network server for use in association with providing a visitor access to a public network from within a virtual private network enabled private local area network according to one embodiment of the invention;

FIG. 14 illustrates a functional block diagram of a virtual visitor network incorporated within a multi-protocol label switching enabled local area network according to one embodiment of the invention; and

FIG. 15 illustrates a functional block diagram of a single point virtual visitor network module operable to provide a visitor access to a public network from within a private local area network according to one embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 illustrates a functional block diagram of a local area network incorporating a visitor access point according to one embodiment of the invention. A local area network (LAN) 102 includes at least one visitor access point 101 provided within local area network (LAN) 102 and operable to allow a user to access a public network 103 such as the Internet. Local area network 102 may include any type of network including, but not limited to, an Ethernet, ring network, token ring network, star network, bus network, asynchronous network, and the like.

Visitor access point 101 allows a visitor that would normally not have access to LAN 102 to access public network 103 when connected to LAN 102. For example, a visitor may couple a computer system (not expressly shown) to visitor access point 101 and may require access to public network 103. Visitor access point 101 advantageously allows for protection of LAN 102 while a user accesses public network 103 by encapsulating data packets communicated via visitor access point 101 and LAN 102. In this manner, other network locations or nodes within LAN 102 (not expressly shown) may be isolated from inquiries, data requests, snooping, malignant attacks, etc. initiated by a visitor or other agent when a visitor connects to LAN 102 via visitor access point 101.

FIG. 2 illustrates a functional block diagram of a virtual visitor network (VVN) operable to provide a visitor access to a public network via a private local area network according to one embodiment of the invention. A private local area network, illustrated generally at 200, includes a visitor (visitor's computer) 201 communicatively coupled to private LAN 200 via a virtual visitor network (VVN) module 202 operable to allow a visitor to access a public network 206 via virtual visitor network (VVN) gateway 208. A virtual visitor network (VVN) 207 includes a virtual network provided within private LAN 200, which facilitates visitor 201 accessing public network 206. Private LAN 200 further includes one or more employee 209 LAN access point(s) 203 providing a user, such as an employee or guest having sufficient access rights, access to private LAN 200, and one or more private LAN node(s) 204 coupling one or more types of network devices such as servers, printers, fax machines, copiers, data storage devices, or any other type of equipment or device that may be coupled to a local area network. The public network gateway 205 may include a router, a firewall, and/or a network address translator (NAT) to process traffic between the private LAN 200 and the public network 206. VVN 207 confines packets communicated between visitor 201 and public network 206 to VVN 207. VVN gateway 208 typically does not handle traffic communicated between public network 206 and an employee 209. In one embodiment, private local area network node(s) 204 may include other user or employee systems that may be accessed or networked together. For example, a user coupled to private LAN 200 via a valid user LAN access point 203 may access another user's system via a private LAN node 204.

During operation, visitor 201 may access public network 206 by connecting to a VVN module 202. VVN module 202 detects that visitor 201 is attempting to access the network and initiates a process to isolate visitor 201 from private LAN 200 while allowing visitor 201 to access only public network 206. For example, VVN module 202 processes data packets initiated by a visitor's computer system 201 coupled to VVN module 202 such that other locations within private LAN 200 ignore any unauthorized data or access requests to one or more locations within private LAN 200. VVN gateway 208 identifies data packets communicated by VVN module 202; as data packets are communicated by VVN module 202, VVN gateway 208 receives the data packets and processes them prior to communicating them to public network 206. For example, VVN gateway 208 modifies header information within the data packets to include a source address of VVN gateway 208. As data packets are received from public network 206 in response to data packets communicated by VVN gateway 208, VVN gateway 208 processes the data packet to provide a destination or IP address of VVN module 202 and communicates the data packet to VVN module 202 using private LAN 200. As such, each packet is processed to encapsulate or isolate all other network locations within private LAN 200 from the data requested by visitor 201, and that data is communicated only to visitor 201, allowing a visitor 201 to access a public network 206, such as the Internet, from within a private local area network without compromising the security of the private local area network or having to manage or create visitor/user access accounts with limited access to network locations within a local area network. In one embodiment, VVN gateway 208 and the public network gateway 205 may be integrated into a single server or system operable to provide access to public network 206.

In another embodiment, VVN module 202 may be used to allow an employee to access public network 206 via VVN gateway 208. In this manner, an employee that may not be able to access a private LAN node(s) 204 or an employee LAN access point(s) 203 may access only public network 206 via virtual visitor network 207 when connected to VVN module 202.

FIG. 3A illustrates a functional block diagram of a virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention. A virtual visitor network (VVN) module, illustrated generally as VVN module 300, includes a network interface 306 operable to couple VVN module 300 to a private LAN 307 such as an Ethernet network via a wire line connection such as through copper connections, cable or coaxial based connections, fiber optic connections, etc. VVN module 300 includes a network address translator (NAT) 305 operable to resolve addresses contained within data packets and a DHCP server 303 operable to assign dynamic IP addresses to visitor computers (not expressly shown). A router 302 and network switch 301 provide for routing of information to various wire line visitor access points 308 for one or more visitors connecting to private LAN 307. Router 302 enables connection or coupling of two or more networks and functions as a sorter and interpreter as it resolves addresses and passes data streams or packets to a proper destination. Network switch 301 may include a switch (e.g., Ethernet switch) operable to provide dedicated bandwidth or a hub operable to provide shared bandwidth to visitor access points 308. If network switch 301 includes a hub, visitor access points 308 only share bandwidth between access points without sharing bandwidth with other non-visitor access points that may be connected to network switch 301. Though network interface 306 is illustrated as a single access point operable to provide access to private LAN 307, it should be understood that VVN module 300 may be configured to accommodate more than one network address within private LAN 307. VVN module 300 further includes a virtual visitor network (VVN) processor 304 operable to process data packets communicated by one or more systems coupled to visitor access points 308 and desiring access to a public network, such as the Internet, via private LAN 307.

During operation, VVN module 300 dynamically assigns a network IP address when a visitor connects to visitor access points 308 and performs a network address translation using NAT 305 when data is communicated using the assigned IP addresses. VVN processor 304 processes data communicated between private LAN 307 and visitor access point(s) 308 to add and remove data packet header information for data packets and provide a unique network IP address that identifies a visitor when connected to one of visitor access point(s) 308. VVN processor 304 encapsulates data communicated via visitor access points 308 by isolating data packets to select or specific network addresses within private LAN 307. For example, VVN processor 304 may provide a network destination address for only a network gateway (not expressly shown) provided within or in association with private LAN 307 that allows for access to a public network. In this manner, no other locations or network addresses within private LAN 307 may be accessed by a computer system connected to one of visitor access point(s) 308. As incoming data packets are communicated from private LAN 307 and received by network interface 306, network address translator 305 translates the address information for the data packets and VVN processor 304 verifies header information and detects if data packets having IP addresses for a visitor coupled to one of visitor access point(s) 308 have been received. If a visitor's data packet has been received, VVN processor 304 restores the information, and router 302 and network switch 301 process and communicate the data packet to the appropriate visitor connected to a visitor access point 308.

In one embodiment, VVN module 300 may allow a visitor to use a network printer (not expressly shown) accessible by VVN module 300. For example, a network printer may be coupled directly to VVN module 300, and VVN module 300 may include a print server (not expressly shown) and a network printer connected to VVN module 300 via, for example, one of visitor access point(s) 308. In another embodiment, a network printer may be accessed by a visitor coupled to one of visitor access point(s) 308 via private LAN 307. For example, VVN module 300 may include a print server having network IP addresses for one or more network printers and may allow for access to a printer internal to private LAN 307 without using a print server (not expressly shown) located within private LAN 307. In this manner, visitor originated data may be selectively communicated to a specific destination or IP address within private LAN 307 without jeopardizing network security, allowing a visitor to print a document.

FIG. 3B illustrates a functional block diagram of a wireless enabled virtual visitor access module for providing a user access to a public network via a private local area network according to one embodiment of the invention. A wireless virtual visitor network module, illustrated generally as wireless VVN module 310, includes a wireless network interface 316 operable to couple wireless VVN module 310 to a private LAN 317 such as an Ethernet network via a wireless connection operable to communicate via wireless communication such as an 802.11-enabled wireless communication protocol including, but not limited to, 802.11a, g, or b. Other types of wireless communication such as infrared laser communication, mobile or cellular wireless communication, near field communication and the like may also be employed.

Wireless VVN module 310 includes a network address translator (NAT) 315 operable to translate addresses contained within data packets and a DHCP server 313 operable to assign dynamic IP addresses to visitor computers wirelessly coupled to wireless VVN module 310 via wireless visitor access point(s) 318. A router 312 and wireless hub transceiver 311 provide for routing of information to and from wireless visitor computers connected via wireless visitor access point(s) 318 and further connected to private LAN 317. Though illustrated as a single access point to private LAN 317, it should be understood that wireless VVN module 310 may be configured to accommodate more than one network address within private LAN 317. Wireless VVN module 310 further includes a virtual visitor network (VVN) processor 314 operable to process data packets communicated from one or more systems coupled to wireless visitor access point(s) 318 and a VVN server (not expressly shown) and desiring access to a public network, such as the Internet, via private LAN 317.

During operation, a user may access private LAN 317 using a wireless-enabled computer system operable to connect to wireless visitor access point(s) 318. For example, wireless VVN module 310 may be placed proximal to a conference room, visitor center, etc. which may be frequently used by visitors. VVN module 310 being wirelessly coupled to private LAN 317 allows for flexible placement of VVN module 310 in various locations such that VVN module 310 may be operational without a user having to physically access wireless VVN module 310. However, in other embodiments, wireless VVN module 310 may include one or more wire line connection ports or visitor access points allowing a user to connect directly to wireless VVN module 310.

Wireless VVN module 310 further allows visitors the flexibility of being untethered from wireless VVN module 310. A visitor may access wireless VVN module 310 by performing a search of available wireless networks and, upon identifying a wireless signal or wireless visitor access point 318 communicated by wireless hub transceiver 311, a user may elect to connect to wireless VVN module 310 to access private LAN 317.

FIG. 4 illustrates a functional block diagram of a virtual visitor network gateway according to one embodiment of the invention. A virtual visitor network (VVN) gateway, illustrated generally at 400, includes a network interface 401 such as an Ethernet module operable to connect to a private LAN 407, and a public network interface 406 operable to communicate with a public network 403 such as the Internet. VVN gateway 400 further includes a VVN processor 404, a router 402 and a network address translator (NAT) 405. VVN processor 404 is operably associated with one or more virtual visitor network modules having virtual visitor network processors to process data packets communicated by a virtual visitor network provided within private LAN 407. NAT 405 is used to bridge multiple VVN modules using a relatively small number of IP addresses in public network 407. Router 402 routes data packets in a public network 403 such as the Internet.

During operation, VVN gateway 400 provides a visitor access to a public network 403 via a private LAN 407 and manages communication of data between private LAN 407 and public network 403. As data packets are communicated from a VVN module located within private LAN 407, VVN gateway 400 receives data packets via LAN network interface 401 and translates data packets to determine if the data packets were communicated from a VVN module. If a data packet was communicated from a VVN module, VVN processor 404 converts the data packets into a standard IP data packet having standard IP protocols. VVN processor 404 maintains a network address for the VVN module, and when requested data packets are received from public network 403 via public network interface 406, VVN processor 404 identifies the VVN module and converts the public data packets to encapsulate the data packets and communicate the data packets to only the VVN module. In this manner, a visitor accessing private LAN 407 may access public network 403 through VVN gateway 400.

FIG. 5 illustrates a flow diagram of a method of processing data packets using a virtual visitor network module according to one embodiment of the invention. The method may be employed within a program of instructions embodied within a computer readable medium, a memory device, encoded logic, or other devices, modules or systems operable to use a portion or all of the method illustrated in FIG. 5.

The method begins generally when a virtual visitor module, such as VVN module 202 illustrated in FIG. 2, VVN module 300 illustrated in FIG. 3A, VVN module 310 illustrated in FIG. 3B, or any other type of module operable to provide a virtual visitor network for enabling a visitor's computer system to access a public network from within a private LAN, is connected to the private LAN. Data packets may be received from a visitor computer system (step 500) or from a VVN gateway (step 514). At 500, a visitor computer transmits a data packet having an IP header and data to the VVN module. The VVN module receives a visitor's data packet 500 and processes IP header 501 of the data packet, replacing the source address with the VVN module address assigned by a network server. For example, if a visitor's IP address is ‘192.16.1.1’ and the VVN module address is ‘20.1.10.1’, the VVN module's address would be provided instead of the visitor's IP address within the IP header.

Upon processing the IP header at 501, the visitor's data packet including the IP header and the data may be processed according to a VVN protocol 502. For example, a VVN protocol may include scrambling the information or data, or applying a security protocol, to make the data contained within the data packet meaningless to other network nodes, hosts, locations, etc. within a private network. At step 503, the VVN module then encapsulates the visitor's packet by adding a VVN header to indicate the method used in processing the visitor's packet and then adds a VVN IP header to indicate the VVN gateway address to direct the packets to the VVN gateway. Packets are then communicated to the VVN gateway 504.

At step 514, when a data packet is received from VVN gateway 514 and is operable to be processed by a VVN module, the VVN module removes the VVN IP header and VVN header from the packet 513 and processes the data packet 512 according to information specified in the VVN header 512. For example, a data packet may be processed using a VVN protocol and may include de-scrambling the information or data, or applying a security protocol to restore data packets processed by the VVN gateway. The IP header is then processed 511 by replacing the destination address to include the visitor's IP address 511, and the data packet is then communicated to the visitor computer 510.

FIG. 6 illustrates a functional block diagram for encapsulating visitor data packets within a private local area network according to one embodiment of the invention. A public network accessible by a private local area network (LAN) incorporating a virtual visitor network (VVN) is generally illustrated at 600 and includes a visitor's computer or visitor 601 having an Internet Protocol (IP) address of “192.168.1.10” coupled to a virtual visitor network (VVN) module 602 having an IP address of “10.2.1.20” and a virtual visitor network (VVN) gateway 603 having an IP address of “10.2.1.15” within a private local area network (LAN) 604. VVN gateway also has a public IP address such as 69.84.100.1. IP addresses within the private LAN 604 are assigned internally and may not be visible from the public network 605. A website 606 having a public IP address of “69.104.84.226” may be accessed using a public network 605 such as the Internet coupled to VVN gateway 603. A visitor IP data packet 611 is communicated between visitor 601 and VVN module 602 as illustrated at “A”. Similarly, a VVN data packet 614 is communicated between VVN module 602 and VVN gateway 603 as illustrated at “B”. An IP data packet 619 is communicated between VVN gateway 603 and website 606 as illustrated at “C”.

During operation, a visitor may access a public network 605 via a private LAN 604 by coupling a computer system at 601 having an IP address of “192.168.1.10” to VVN module 602. A visitor data packet 611 communicated at “A” from visitor 601 contains a source (Src) address=192.168.1.10 identifying the assigned IP address of the visitor's computer system and a destination (Dst) address=69.104.84.226 identifying web site 606 requested by the visitor. VVN module 602 detects a connection (either wireless or wire line) and translates the source IP address of visitor data packet 611 to include a new IP address, such as VVN gateway 603's IP address of “10.2.1.20”. For example, VVN module 602 includes a network address translator and VVN processor (not expressly shown) that changes, converts, or appends visitor data packet 611's IP header 612 to include a VVN IP header 615 having a source (Src) IP address of “10.2.1.20” and a destination (Dst) address of “10.2.1.15”. IP header 617 is modified to include a source (Src) IP address of “10.2.1.20” and a destination (Dst) address of “69.104.84.226”. Said another way, source data for visitor data packets is replaced with an IP address of a valid VVN module such as VVN module 602 (e.g. “10.2.1.20”) and destination data for visitor data packets is replaced with an IP address of VVN gateway 603 (e.g. “10.2.1.15”). In this manner, visitor data packets are confined between VVN gateway 603 and VVN module 602 employing a VVN protocol that isolates visitor data packets 611 when communicated within private LAN 604, while retaining original source and destination information for visitor 601.

An exemplary VVN data packet 614 may be produced by processing the visitor data packet 611 to include a VVN protocol having a VVN header 616 and a VVN IP header 615. One or more values may be provided within VVN header 616 to indicate a method or type of modification used to process visitor data packets 611. For example, a simple rearrangement of bits or data encryption methods may be used for processing visitor data packets 611 originating from visitor 601. When VVN gateway 603 receives VVN packet 614, it removes VVN IP header 615 and processes VVN packets 614 based on information stored within VVN header 616. For example, a decryption or other bit deciphering process may be used to restore the data packets to determine destination data to create IP data packet 619.

In one embodiment, VVN gateway 603 may include more than one IP address for use in communicating data packets. For example, VVN gateway 603 may include an IP address for internal routing within private LAN 604 (e.g. “10.2.1.15”) and an IP address for communicating data via public network 605 (e.g. “69.84.100.1”). As illustrated above, VVN gateway 603 rewrites VVN data packet 614 to include an IP header having VVN gateway 603's own IP address, resulting in IP data packet 619. When IP data packets are returned from website 606, VVN gateway 603 and VVN module 602 use stored information maintained by VVN gateway 603 and VVN module 602 in association with a NAT to send a reply or return data packets to visitor 601. IP data packets 619 returned from website 606 are modified in a reverse sequence to return data to visitor 601.

In one embodiment, a visitor data packet 611 may be processed by VVN module 602 to include only a VVN IP header 615 without including any additional information within VVN header 616. In this manner, no additional processing, other than removing the VVN IP header, will be required. In another embodiment, VVN header 616 may not be provided as a part of visitor data packet 611, and as such no additional processing would be required when visitor data packet 611 is communicated to VVN gateway 603 or returned to VVN module 602.

In one embodiment, processing visitor data packets 611 using a VVN protocol provided by VVN module 602 and VVN gateway 603 renders the visitor data packets 611 useless when communicated to an unintended device within private LAN 604. For example, VVN gateway 603 and VVN module 602 may be the only devices within private LAN 604 having knowledge of the VVN protocol used, and other devices or systems connected to private LAN 604 may not be able to restore VVN packets 614. As such, devices or systems within private LAN 604 may discard or ignore VVN packets 614 when received. In this manner, visitor data packets 611 that originate from a visitor's system are communicated by visitor 601 and processed by VVN module 602 to generate VVN packets 614 which cannot cause security concerns within private LAN 604. Similarly, IP data packets 619 that are returned from public network 605 are processed by VVN gateway 603 to produce VVN packets 614 that can only be consumed by VVN module 602 provided within private LAN 604.
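The FIG. 5 processing steps and the FIG. 6 addresses worked through in code, as an added example that is not part of the patent text. The XOR scramble standing in for the VVN protocol, the VVN header field layout, the shared key and the gateway's refusal to forward visitor traffic to private destinations are assumptions of this example.

```python
"""Model of the VVN encapsulation path of FIG. 5 and FIG. 6 (added example).
Addresses are those given on the page; the XOR 'scramble', the header layout
and the private-destination check are assumptions of this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VISITOR_IP = "192.168.1.10"            # visitor 601
VVN_MODULE_IP = "10.2.1.20"            # VVN module 602
VVN_GATEWAY_LAN_IP = "10.2.1.15"       # VVN gateway 603, private LAN side
VVN_GATEWAY_PUBLIC_IP = "69.84.100.1"  # VVN gateway 603, public side
WEBSITE_IP = "69.104.84.226"           # website 606


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    data: bytes


@dataclass(frozen=True)
class VVNPacket:
    """VVN IP header (outer_src/outer_dst, 615), VVN header (method, 616)
    and the rewritten inner IP header (617) plus processed payload."""
    outer_src: str
    outer_dst: str
    method: str
    inner_src: str
    inner_dst: str
    data: bytes


def scramble(data: bytes, key: bytes) -> bytes:
    """Assumed VVN protocol: XOR with a key both ends agreed on at registration.
    XOR is its own inverse, so the same call restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class VVNModule:
    def __init__(self, addr: str, gateway_addr: str, key: bytes):
        self.addr, self.gateway_addr, self.key = addr, gateway_addr, key
        self.visitors: dict = {}   # inner dst -> visitor IP (simplified NAT table)

    def outbound(self, pkt: IPPacket) -> VVNPacket:
        """Steps 500-504: visitor packet 611 -> VVN packet 614."""
        self.visitors[pkt.dst] = pkt.src            # remembered for step 511
        return VVNPacket(outer_src=self.addr, outer_dst=self.gateway_addr,
                         method="xor", inner_src=self.addr, inner_dst=pkt.dst,
                         data=scramble(pkt.data, self.key))   # steps 501-503

    def inbound(self, vpkt: VVNPacket) -> Optional[IPPacket]:
        """Steps 514-510: VVN packet from the gateway -> packet for the visitor."""
        if vpkt.outer_dst != self.addr or vpkt.method != "xor":
            return None                              # not ours or unknown method
        visitor = self.visitors.get(vpkt.inner_src)
        if visitor is None:
            return None                              # no visitor asked this host
        return IPPacket(vpkt.inner_src, visitor, scramble(vpkt.data, self.key))


class VVNGateway:
    def __init__(self, lan_addr: str, public_addr: str, key: bytes):
        self.lan_addr, self.public_addr, self.key = lan_addr, public_addr, key
        self.modules: dict = {}    # public host -> VVN module that asked for it

    def to_public(self, vpkt: VVNPacket) -> Optional[IPPacket]:
        """VVN packet 614 -> standard IP packet 619 with the gateway's public source."""
        if vpkt.outer_dst != self.lan_addr or vpkt.method != "xor":
            return None
        if ipaddress.ip_address(vpkt.inner_dst).is_private:
            return None    # assumed check: visitor traffic may only leave the LAN
        self.modules[vpkt.inner_dst] = vpkt.inner_src
        return IPPacket(self.public_addr, vpkt.inner_dst, scramble(vpkt.data, self.key))

    def from_public(self, pkt: IPPacket) -> Optional[VVNPacket]:
        """Reply 619 -> VVN packet addressed only to the VVN module (reverse sequence)."""
        module = self.modules.get(pkt.src)
        if module is None or pkt.dst != self.public_addr:
            return None
        return VVNPacket(outer_src=self.lan_addr, outer_dst=module, method="xor",
                         inner_src=pkt.src, inner_dst=module,
                         data=scramble(pkt.data, self.key))


def round_trip(request: bytes, reply: bytes) -> dict:
    """Run one request/reply through A -> B -> C and back; returns each stage."""
    key = b"\x5a\xc3\x9f"   # constructed shared key, assumed agreed at registration
    module = VVNModule(VVN_MODULE_IP, VVN_GATEWAY_LAN_IP, key)
    gateway = VVNGateway(VVN_GATEWAY_LAN_IP, VVN_GATEWAY_PUBLIC_IP, key)
    a = IPPacket(VISITOR_IP, WEBSITE_IP, request)   # packet 611 at "A"
    b = module.outbound(a)                           # packet 614 at "B"
    c = gateway.to_public(b)                         # packet 619 at "C"
    reply_c = IPPacket(WEBSITE_IP, VVN_GATEWAY_PUBLIC_IP, reply)
    reply_b = gateway.from_public(reply_c)           # 614 back to the module
    reply_a = module.inbound(reply_b)                # 611 back to the visitor
    return {"A": a, "B": b, "C": c, "reply_B": reply_b, "reply_A": reply_a}
```

Any LAN node other than the module and gateway sees only the scrambled payload of packet 614, and the gateway drops a VVN packet whose inner destination is inside the private range.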

In one embodiment, a security protocol such as IPsec or secure socket layer (SSL) may be used in combination with a VVN protocol. For example, a secure socket layer (SSL) protocol may be used prior to or after processing data packets based on a VVN protocol provided by VVN module 602 and/or VVN gateway 603. By providing a security protocol or SSL between VVN module 602 and VVN gateway 603, VVN packets 614 are confined to within an SSL-enabled channel established between VVN gateway 603 and VVN module 602.

In another embodiment, VVN gateway 603 and VVN module 602 may use either dynamic IP addresses or static IP addresses. For example, a DHCP server (not expressly shown) provided as a part of private LAN 604 may assign a dynamic address to VVN gateway 603 and/or VVN module 602. A DHCP server works in association with a client computer and enables individual computers on a network to obtain their configurations from the DHCP server. DHCP allows a network administrator to supervise and distribute IP addresses from a central server (not expressly shown) that automatically sends a new IP address when a computer is connected to private LAN 604. For example, when VVN module 602 is initialized, VVN module 602 registers with VVN gateway 603, and VVN module 602 and VVN gateway 603 both agree on one or more processing methods or protocols for processing VVN packets 614 to be communicated within private LAN 604.

FIG. 7 illustrates a functional block diagram of network traffic within a private local area network having an access point for a visitor and an employee according to one embodiment of the invention. A wireless network access point (AP) illustrated generally at 701 includes an embedded virtual visitor network (VVN) module 702 having a DHCP server 703, a network address translator (NAT) 704, a router 706 and a VVN processor 705. Communication with a visitor's or employee's computer system is provided using a wireless transceiver 708 operable to communicate using an 802.11-based protocol. Other wireless transceivers and protocols may also be used. Ethernet interface 707 provides communication to/from a private LAN (not expressly shown).

During use, network traffic 711 includes both VVN packets 709 and employee packets 710 communicated using embedded VVN module 702. For example, a user may select from one or more Service Set Identifiers (SSIDs) transmitted by wireless transceiver 708 for wireless access point 701. In one form, an employee network SSID may be broadcast by wireless transceiver 708 and an employee may enter a valid password to access an employee network within the private LAN (not expressly shown). Similarly, wireless transceiver 708 may broadcast a visitor SSID allowing a visitor to connect to wireless access point 701 using the visitor SSID. VVN module 702, having NAT 704 and router 706, may then determine the source of a data packet (either employee or visitor) received by wireless transceiver 708 and process it according to the SSID through which the user connected (either employee or visitor) to wireless access point 701. For example, all data packets communicated over the visitor SSID would be processed by VVN processor 705 to create VVN packets 709 that may be communicated within network traffic 711 of a private LAN. Dotted lines illustrated in FIG. 7 generally indicate data packets originating from a visitor that are processed using VVN module 702 and provided within network traffic 711 using Ethernet interface 707. Additionally, data packets originating from an SSID for an employee are generally illustrated as employee packets 710, shown as a solid line traversing through VVN module 702 via wireless transceiver 708 and Ethernet interface 707 and included within network traffic 711. Employee packets 710 traverse through wireless access point 701 without having to be processed by VVN processor 705 to generate VVN packets 709.

FIG. 8 illustrates a functional block diagram of a network for providing visitors and employees access to a public network using a wireless local area network according to one embodiment of the invention. A private local area network employing a wireless access point, illustrated generally at 800, includes a wireless access point 803 having an embedded virtual visitor network module and operable to communicatively couple one or more visitor systems 801 and/or employee systems 802 to a private local area network (LAN) 805. Private LAN 805 further includes a network printer 808, server 809 and other types of network nodes. Firewall and network address translator (NAT) 807 are coupled to private LAN 805 and provide access to a public network 810 such as the Internet. Virtual visitor network (VVN) gateway 806 works in association with wireless access point 803 to provide a virtual visitor network (VVN) 804.

During use, visitors may connect computers via wireless access point 803, which may be an 802.11-enabled wireless access point employing Service Set Identification (SSID). An SSID is a 32-character alphanumeric key uniquely identifying a wireless access point such as wireless access point 803. In one embodiment, wireless access point 803 may use two or more SSIDs to distinguish visitors from employees, valid users, etc. For example, one of the SSIDs may be labeled “VisitorNet” to allow visitors to connect to wireless access point 803. Similarly, another SSID may be labeled “EmployeeNet” to enable employees to connect to wireless access point 803.

When connecting to wireless access point 803 for the first time, a visitor will need to select the SSID labeled “VisitorNet” to access wireless access point 803. An employee may be required to enter or use a secret key or Wired Equivalent Privacy (WEP) to access the “EmployeeNet” provided by wireless access point 803. Other security features for either visitors or employees may also be employed, and the “EmployeeNet” usually requires additional validation of a system prior to allowing connection to wireless access point 803 as an employee. In this manner, if a visitor tries to access the “EmployeeNet”, wireless access point 803 will deny access if the visitor does not have valid access. In one embodiment, a media access control (MAC) address of an employee's system may be used to allow a user to access wireless access point 803. For example, wireless access point 803 may resolve the MAC address of a computer system attempting to connect to “EmployeeNet” and determine if the MAC address is a valid MAC address for an employee. If an invalid MAC address attempting to access “EmployeeNet” is identified (e.g., a visitor), wireless access point 803 will deny access.
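The SSID-based split of FIGS. 7 and 8, written out as an access point association policy, is shown below as an added example; it is not code from the patent or from any product it describes. The SSID labels come from the text; the allowlist contents, the shared key and the `Path` names are assumptions made for the example. Frames arriving on the visitor SSID are marked for the VVN processor, frames on the employee SSID pass through only when both the shared key and the MAC allowlist check succeed, and every decision is recorded for the management application described later in the document.

```python
"""Association policy for a two-SSID access point (constructed example)."""
import hmac
import re
from enum import Enum

VISITOR_SSID = "VisitorNet"    # label taken from the text
EMPLOYEE_SSID = "EmployeeNet"  # label taken from the text


class Path(Enum):
    VVN = "route-through-vvn-processor"  # visitor traffic, escorted to the VVN gateway
    EMPLOYEE = "pass-through"            # employee traffic, not VVN processed
    DENY = "deny"


_MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so allowlist lookups are not defeated by
    case or separator differences ('AA-BB-..' vs 'aa:bb:..')."""
    m = mac.strip().lower()
    if not _MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    digits = re.sub(r"[:-]", "", m)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class AccessPoint:
    def __init__(self, employee_macs, employee_key: str):
        # Assumed allowlist of employee MAC addresses and assumed shared key.
        self.employee_macs = {normalize_mac(m) for m in employee_macs}
        self.employee_key = employee_key.encode()
        self.audit = []  # (ssid, mac, decision) records for the VVN management application

    def associate(self, ssid: str, mac: str, key: str = "") -> Path:
        """Decide how frames from this station are handled."""
        try:
            mac_n = normalize_mac(mac)
        except ValueError:
            return self._record(ssid, mac, Path.DENY)
        if ssid == VISITOR_SSID:
            # Visitor SSID is open; everything from it goes through VVN processing.
            return self._record(ssid, mac_n, Path.VVN)
        if ssid == EMPLOYEE_SSID:
            key_ok = hmac.compare_digest(key.encode(), self.employee_key)
            if key_ok and mac_n in self.employee_macs:
                return self._record(ssid, mac_n, Path.EMPLOYEE)
            return self._record(ssid, mac_n, Path.DENY)
        return self._record(ssid, mac_n, Path.DENY)

    def _record(self, ssid: str, mac: str, decision: Path) -> Path:
        self.audit.append((ssid, mac, decision))
        return decision
```

The MAC check is applied only after the key check, matching the text's description of it as additional validation: a MAC address is an identifier the station itself reports, so the allowlist narrows which known systems may join "EmployeeNet" but is not a substitute for the secret key.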

FIG. 9 illustrates a functional block diagram of a network employing wire line and wireless virtual visitor access points incorporated within an Ethernet based private local area network according to one embodiment of the invention. A network, illustrated generally at 900, includes an Ethernet-based private local area network 904 connecting several network nodes including a first workstation 910, second workstation 911, and third workstation 909, which may include desktop computing systems, laptop computing systems, or any other type of system that may be connected to an Ethernet-based network. Network printer 906, server 907 and other types of network nodes are also connected and accessible via private LAN 904. Network 900 further includes a firewall and virtual private network gateway 903. Server 907 may be a Domain Name Server (DNS), DHCP server, Enterprise Server, network storage or data server, or any other type of server.

Private LAN 904 further includes a virtual visitor network switch 913 configured as a switch and connectable to virtual visitor network (VVN) gateway 902, operable to establish a first virtual visitor network (VVN) 905 within private LAN 904, and a virtual visitor network hub 914 configured as a hub and connectable to VVN gateway 902, operable to establish a second virtual visitor network (VVN) 912. A network hub or switch may be employed, wherein a network hub is a device with shared bandwidth for all users and a network switch provides full bandwidth to each individual user coupled to private LAN 904. For example, virtual visitor network switch 913 and/or virtual visitor network hub 914 may be configured to support various communication data rates such as 10 Mbytes/Second, 100 Mbytes/Second, 1 GBytes/Second, etc.

Virtual visitor network switch 913 allows for wire line access of a first visitor computer system 906 and second visitor computer system 907. A visitor printer 908 is also coupled to virtual visitor network switch 913 and allows first visitor computer system 906 and second visitor computer system 907 to print documents without having to access private LAN 904. Virtual visitor network switch 913 may include logic to provide a print server; however, other embodiments may include utilizing a network node such as a print server located within private LAN 904. For example, virtual visitor network switch 913 may establish a VVN between VVN module 913 and a network printer 906.

Network 900 further allows visitors to access private LAN 904 using virtual visitor network hub 914 operable to provide a wireless-enabled network such as an 802.11-based network to connect a first wireless-enabled visitor computer system 916 and second wireless-enabled visitor computer system 915. Virtual visitor network hub 914 is provided in association with virtual visitor network server 902 and provides a visitor wireless access to private LAN 904 through second virtual visitor network 912.

During operation, first VVN 905 and second VVN 912 protect the enterprise network or private LAN 904 from visitors by confining and directing packets between a visitor's computer system and a public network 901 through use of first VVN 905 and second VVN 912. A visitor may connect their computer to virtual visitor network switch 913 or virtual visitor network hub 914 to access the Internet or public network 901. First VVN 905 and second VVN 912 establish a virtual tunnel between VVN gateway 902 and VVN switch 913 and VVN hub 914. VVN gateway 902 may have a direct connection to public network 901 (e.g., Internet) or an indirect connection through a security device such as VPN/Firewall 903 as shown in FIG. 8. In one embodiment, VVN gateway 902 may be provided as an integral part of VPN/Firewall 903, NAT, etc.

First VVN 905 and second VVN 912 provide several advantages over conventional networks and allow for a simplified visitor access networking solution without having to add additional private networks to an enterprise network for visitors, which may require Information Technology (IT) managers to manage providing visitors access within an existing enterprise network. For example, network managers will not be required to assign special network outlets or dedicate network ports in a switch, router, wall outlets, etc. for visitors. Such configurations may not guarantee protection of an enterprise network from hacking visitors. Additionally, network outlets are not easily movable and would need to be verified to ensure that no visitor is accessing the enterprise network directly.

Additionally, VVN switch 913 and/or VVN hub 914 may be provided in various colors, such as bright yellow, red, etc., to be visually identifiable by a visitor. In one embodiment, VVN switch 913 and/or VVN hub 914 may be provided as a modular device that may be connected to any network outlet within private LAN 904. For example, IT managers can provide a visitor a modular device incorporating VVN switch 913 and a visitor can simply plug or connect VVN switch 913 to any available network outlet within private LAN 904, allowing VVN switch 913 to be easily transferred as needed to various rooms, offices, conference rooms, etc. having network connections or ports for private LAN 904. In this manner, when a visitor connects a computer, such as first visitor computer system 906, to modular VVN switch 913, VVN gateway 902 identifies VVN switch 913, and monitors and controls VVN switch 913 connected to a network outlet of private LAN 904. In this manner, VVN switch 913 and VVN gateway 902 confine a visitor's packets (not expressly shown) and prevent visitors from accessing other locations, devices, nodes, etc. within private LAN 904.

FIG. 10 illustrates a flow diagram of a method for processing data packets using a virtual visitor network gateway according to one embodiment of the invention. The method may be employed within a program of instructions embodied within a computer readable medium, a memory device, encoded logic, or other devices, modules or systems operable to use a portion or all of the method illustrated in FIG. 10. The method may be employed by VVN gateway 208 illustrated in FIG. 2, VVN gateway 400 illustrated in FIG. 4, VNS 1300 illustrated in FIG. 13, or any other system operable to employ the method illustrated in FIG. 10.

Data packets may be received from within a private LAN (step 1100) or from a public network (step 1114). At step 1100, data packets are received from a VVN module located within a private LAN and the VVN IP header and VVN header of the data packet are removed 1101. The VVN packet is processed 1102 using a specification provided within the VVN header. Such processing results in providing the same data packet communicated by a visitor system and processed by a VVN module (not expressly shown). The IP header is processed 1103 by replacing the source IP address (i.e., the VVN module's IP address) with the VVN gateway's IP address. Data packets are then communicated to a public network destination address 1104.

At step 1114, a data packet is received by a VVN gateway from a public network source and the data packet is processed 1113 by modifying the IP header, replacing the destination address (e.g., the VVN gateway) with the VVN module's address. The IP header and data received from a source in the public network are processed 1112, which may include processing to add a security feature or scrambling the data contents of the data packet. At step 1111, a VVN header is provided to indicate the method of processing used at step 1112, and a VVN IP header including a destination address of the VVN module is also provided. Upon adding the VVN header and VVN IP header, data packets are then communicated to the VVN module 1110.
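Both directions of the FIG. 10 method, together with the confinement property described for FIG. 6 (a LAN device without knowledge of the VVN protocol cannot restore a VVN packet), are worked through below in an added example. This is not code from the patent or from any implementation of it: the header layouts, the simplified inner IP header, the shared key and the keyed XOR "scrambler" standing in for a proprietary processing method are all assumptions made for the example, and the scrambler is a demonstration of the method-identifier mechanism rather than a cipher to deploy. The method field of the VVN header selects the processing (including "none", as in claims 37, 43 and 49), and the VVN IP header carries the module/gateway hop addresses.

```python
"""Toy model of the FIG. 10 VVN gateway path (constructed example).

On the private LAN hop a packet is laid out as:
    VVN IP header | VVN header | body
The VVN header's method field tells the receiver how the body was processed;
a receiver without the shared key cannot restore a body processed with
METHOD_KEYED_XOR, which is what keeps the packet useless to other LAN nodes.
"""
import hashlib
import struct
from ipaddress import IPv4Address

VVN_IP_HDR = struct.Struct("!4s4s")  # LAN hop: VVN module <-> VVN gateway (assumed layout)
VVN_HDR = struct.Struct("!BBH")      # method id, version, body length (assumed layout)
INNER_HDR = struct.Struct("!4s4sH")  # simplified IP header: src, dst, payload length

METHOD_NONE = 0       # header states that no processing was applied
METHOD_KEYED_XOR = 1  # constructed scrambler standing in for a proprietary method
VVN_VERSION = 1


def _keystream(key: bytes, n: int) -> bytes:
    """Expand the shared key into n bytes with a SHA-256 counter (demo only)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def _scramble(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; applying it twice with the same key restores data."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def pack_inner(src: str, dst: str, payload: bytes) -> bytes:
    return INNER_HDR.pack(IPv4Address(src).packed, IPv4Address(dst).packed, len(payload)) + payload


def unpack_inner(pkt: bytes):
    src, dst, n = INNER_HDR.unpack_from(pkt)
    return str(IPv4Address(src)), str(IPv4Address(dst)), pkt[INNER_HDR.size:INNER_HDR.size + n]


def encapsulate(inner: bytes, method: int, key: bytes, hop_src: str, hop_dst: str) -> bytes:
    """Apply the chosen processing, then add the VVN header and VVN IP header."""
    body = _scramble(inner, key) if method == METHOD_KEYED_XOR else inner
    return (VVN_IP_HDR.pack(IPv4Address(hop_src).packed, IPv4Address(hop_dst).packed)
            + VVN_HDR.pack(method, VVN_VERSION, len(body)) + body)


def decapsulate(vvn_pkt: bytes, key: bytes):
    """Strip both headers and undo the processing named in the VVN header."""
    hop_src, hop_dst = VVN_IP_HDR.unpack_from(vvn_pkt)
    method, version, n = VVN_HDR.unpack_from(vvn_pkt, VVN_IP_HDR.size)
    if version != VVN_VERSION:
        raise ValueError("unsupported VVN version")
    start = VVN_IP_HDR.size + VVN_HDR.size
    body = vvn_pkt[start:start + n]
    if method == METHOD_KEYED_XOR:
        body = _scramble(body, key)
    elif method != METHOD_NONE:
        raise ValueError("unknown VVN processing method")
    return str(IPv4Address(hop_src)), str(IPv4Address(hop_dst)), body


def gateway_to_public(vvn_pkt: bytes, key: bytes, gateway_ip: str) -> bytes:
    """Steps 1101-1104: remove the VVN headers, restore the packet, and replace
    the source address (the VVN module's) with the gateway's before forwarding."""
    _, _, inner = decapsulate(vvn_pkt, key)
    _src, dst, payload = unpack_inner(inner)
    return pack_inner(gateway_ip, dst, payload)


def gateway_from_public(ip_pkt: bytes, key: bytes, gateway_ip: str, module_ip: str,
                        method: int = METHOD_KEYED_XOR) -> bytes:
    """Steps 1113-1110: rewrite the destination (the gateway) to the VVN module,
    process the packet, then add the VVN header and VVN IP header."""
    src, _dst, payload = unpack_inner(ip_pkt)
    rewritten = pack_inner(src, module_ip, payload)
    return encapsulate(rewritten, method, key, gateway_ip, module_ip)


if __name__ == "__main__":
    # Assumed addresses: module 10.0.0.25, gateway 10.0.0.1, public host 203.0.113.10.
    key = b"shared-vvn-key"
    inner = pack_inner("10.0.0.25", "203.0.113.10", b"GET / HTTP/1.0\r\n")
    on_lan = encapsulate(inner, METHOD_KEYED_XOR, key, "10.0.0.25", "10.0.0.1")
    print("to public:", unpack_inner(gateway_to_public(on_lan, key, "10.0.0.1")))
    print("other LAN node restores:", decapsulate(on_lan, b"no-key")[2] == inner)
```

In a deployment the VVN header would also need integrity protection and replay handling; the example stops at the encapsulation and address rewriting that FIG. 10 describes.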

FIG. 11 illustrates a functional block diagram of an enterprise network incorporating a virtual visitor network employing a wireless private local area network according to one embodiment of the invention. An enterprise network, illustrated generally at 1100, may be coupled to a public network 1115 such as the Internet through a LAN gateway 1102 employing a firewall and/or virtual private network. Enterprise network 1100 further includes a virtual visitor network (VVN) gateway 1103 coupled to LAN gateway 1102 and provided in association with a wireless virtual visitor network (VVN) switch 1105 and wireless virtual visitor network (VVN) hub 1110 operable to provide one or more visitors access to public network 1115. For example, first visitor computer system 1108 and second visitor computer system 1109 may be connected to wireless VVN switch 1105 using wire-line connections. Additionally, third visitor computer system 1111 and fourth visitor computer system 1112 may be wirelessly connected to wireless VVN hub 1110.

During operation, wireless access point 1104 communicates with each 802.11b enabled device operable to provide access to private LAN 1101 via wireless communications. For example, first computer system 1107 and second computer system 1107 may be employee systems and may include embedded 802.11b communication devices operable to communicate with wireless access point 1104 provided as a part of private LAN 1101. Wireless VVN hub 1110 does not include physical ports for visitors and may easily support many visitors relative to wireless VVN switch 1105 having only wire-line connectivity. Wireless VVN switch 1105 and wireless VVN hub 1110 may be wirelessly connected to private LAN 1101 via wireless access point 1104. Private LAN 1101 may be an Ethernet-based network; however, other communication mediums and protocols, such as fiber, ATM, and the like, may also be employed. Private LAN 1101 further connects an enterprise server 1114, network printer 1113 and other network nodes providing users access to data storage, applications, etc.

Wireless devices illustrated in FIG. 11 may be provided as local wireless area network devices or systems that may operate using an 802.11x wireless standard where x = a, g, or b. Additionally, wireless VVN switch 1105 may be provided as a client-based hub communicating as an 802.11b enabled station coupled to wireless access point 1104. As such, wireless access point 1104 need not contain a VVN module to communicate data packets within a virtual visitor network. For example, a VVN network may be established between wireless VVN switch 1105 and VVN gateway 1103 or between wireless VVN hub 1110 and VVN gateway 1103, respectively. Wireless VVN hub 1110 and wireless VVN switch 1105 are wirelessly coupled to wireless access point 1104 and may be configured to communicate using different channels to avoid interference and/or conflicts. For example, a wireless private LAN 1117 may be provided via wireless access point 1104 by enabling channel one (1) to allow first employee computer system 1106, second valid computer system 1107, wireless VVN switch 1105 and wireless VVN hub 1110 to connect to wireless private LAN 1117. If a visitor attempts to directly access wireless access point 1104 within private wireless LAN 1117 using channel one (1), wireless access point 1104 will reject the visitor as not being a registered or valid user. Additionally, when wireless VVN hub 1110 is accessing wireless access point 1104 via channel 1, wireless VVN hub 1110 uses a different channel, e.g., channel 6, to communicate with visitor computers 1111 and 1112.

Enterprise network 1100 may also employ various types, configurations, and/or combinations of VVN hubs. For example, enterprise network 1100 may employ a wire-line only connection to private LAN 1101 for visitors as illustrated, for example, in FIG. 3. Additionally, enterprise network 1100 may employ a wire-line connection to private LAN 1101 and a wireless connection for visitors to private LAN 1101 as illustrated in FIG. 9. Other embodiments may include providing a wireless connection to private LAN 1101 and a wire-line connection for visitors to private LAN 1101 as illustrated by wireless VVN hub 1105. Enterprise network 1100 may also employ a wireless connection for both visitors and valid users or employees as illustrated in FIG. 8. As such, various combinations and levels of wireless and wire-line access to public network 1115 via private LAN 1101 may be provided within enterprise network 1100 while ensuring network integrity, security, and efficient access are provided.

In one embodiment, VVN modules may be communicatively coupled, allowing visitor systems to communicate with each other. For example, VVN gateway 1103 may manage users connected to wireless VVN hub 1110 and/or wireless VVN switch 1105 and may allow multiple users to have access to each other's systems. In this manner, multiple visitors from the same company may be able to communicate within enterprise network 1100, thereby providing a private visitor LAN between visitors.

FIG. 12 illustrates a functional block diagram of a virtual network gateway operable to provide a virtual private network and a virtual visitor network within a private local area network according to one embodiment of the invention. An enterprise network, illustrated generally at 1200, allows users to access a private LAN 1202 from both a public network 1203 and from within private LAN 1202. Enterprise network 1200 includes a virtual private network (VPN) client 1213 operable to be coupled to a VPN server 1204, which may be provided internal or external to a virtual network server (VNS) 1201. Enterprise network 1200 further includes a virtual visitor network (VVN) module 1206 operably connected to a virtual visitor network (VVN) gateway 1205, which may be provided internal or external to VNS 1201. Private LAN 1202 further includes a local area network based on Ethernet 1208 operable to connect multiple nodes such as first LAN node 1209 and a second LAN node 1210. VVN module 1206 may also be connected to private LAN 1202 via Ethernet 1208.

During operation, enterprise network 1200 may protect employees accessing private LAN 1202 from VPN client 1213 when accessed via public network 1203. VPN server 1204 serves as a gateway that is located between private LAN 1202 and public network 1203. A virtual communication tunnel or VPN tunnel 1215 is created using encryption to exchange data packets between VPN client 1213 and VPN server 1204. Through establishing a VPN tunnel 1215, network attacks that originate from public network 1203 are obviated and VPN data packets may be communicated securely within private LAN 1202. Enterprise network 1203 further includes a VVN tunnel 1216 created to protect private LAN 1202 from network attacks that may originate from inside VVN tunnel 1216 established between VVN gateway 1205 and VVN module 1206. VVN data packets are confined to VVN tunnel 1216 and, as such, attacks that may originate from within VVN tunnel 1216 are confined to VVN gateway 1205 and VVN module 1206 and cannot escape VVN tunnel 1216. VPN tunnel 1215 and VVN tunnel 1216 are virtual networks which do not exist as physical entities in the physical network.

FIG. 13 illustrates a functional block diagram of a virtual network server for use in association with providing a visitor access to a public network from within a virtual private network enabled private local area network according to one embodiment of the invention. A virtual network server (VNS) is illustrated generally at 1300 and includes several modules and components including a network address translator 1305, a router 1302, and a firewall 1301. VNS 1300 further includes a virtual private network (VPN) server 1303 and a virtual visitor network (VVN) gateway 1304. VPN server 1303 and VVN gateway 1304 provide access between private local area network (LAN) 1308 and a public network 1307 and may be used within an enterprise network (not expressly shown). In some embodiments, VNS 1300 may only include VVN gateway 1304 and/or VPN server 1303; however, in other embodiments VNS 1300 may include each functional module or component illustrated. In some embodiments, other forms of protection may also be provided, including a DHCP server, intrusion detection modules, servers or software provided as a part of, or in association with, VNS 1300.

VNS 1300 is a comprehensive security device that provides support services for a business, protects private LAN 1308 from intruders from public network 1307, manages privacy within private LAN 1308, and protects private LAN 1308 while providing visitors and authorized users access to public network 1307 from within the same network environment. During operation, a visitor may access private LAN 1308 via a visitor access point within private LAN 1308. Network address translator 1305 and router 1302 resolve network traffic communicated from private LAN 1308, determine header information and route traffic based on header and other information provided. For example, a data packet may include destination or source address information communicated from a virtual visitor network module or hub (not expressly shown) and may be resolved by NAT 1305 and provided to VVN gateway 1304 for processing. VVN gateway 1304 may extract a destination or website being requested within public network 1307 and any other processing information, and process data packets using the processing information to restore data packets prior to forwarding to public network 1307, thereby allowing a visitor to access a public network from within private LAN 1308. When data packets are returned from public network 1307, VNS 1300 determines the computer system requesting the data (i.e., employee, visitor, etc.) and processes the data packets if required.

In some embodiments, VVN gateway 1304 or VNS 1300 may include a VVN management application (not expressly shown) for managing or monitoring visitor network(s) provided within private LAN 1308. For example, a VVN management application may be used to change, alter, or configure a virtual visitor network, add and delete VVN features, modify access rights for a VVN, create a VVN status report, create a VVN public access report, manage VVN modules, manage software versions, etc. For example, a VVN management application may keep track of usage within a VVN, monitor for intrusions, provide alarm notifications when suspicious activities are detected, communicate software upgrades to VVN modules, etc. The VVN management function may be an integral part of VNS 1300 or may be provided as a part of a network server within private LAN 1308.

FIG. 14 illustrates a functional block diagram of a virtual visitor network incorporated within a multi-protocol label switching enabled local area network according to one embodiment of the invention. A Multi-Protocol Label Switching (MPLS) enabled LAN, illustrated generally at 1400, includes a virtual visitor network (VVN) module 1404 which may be used to connect first visitor computer system 1405, second visitor computer system 1406, and/or third computer system 1407 to an enterprise network employing a private LAN. VVN module 1404 is connected to a virtual visitor network (VVN) gateway 1402 using MPLS enabled LAN 1400. The MPLS communication protocol confines data packets between VVN gateway 1402 and VVN module 1404. MPLS is an Internet Engineering Task Force (IETF) standard that utilizes label switching to forward data packets through MPLS enabled network 1400. A label is a small identifier placed within a data packet, inserted at an ingress router or second label edge router (LER 2) 1408 and removed at an egress router or first label edge router (LER 1) 1410. A first label switching router (LSR 1) 1409, second label switching router (LSR 2) 1411, and third label switching router (LSR 3) 1403 communicate data packets between second label edge router (LER 2) 1408 and first label edge router (LER 1) 1410. For example, an LSR is a router provided within an MPLS network that participates in establishing Label Switched Paths (LSPs) using appropriate label switching. An LER is a device that operates at the edge of the network being accessed and interfaces with an MPLS network. LERs support multiple ports and forward network traffic through an MPLS enabled network after establishing LSPs. LERs are used to assign and remove labels as data packets enter or exit an MPLS network.

During operation, as data packets transition through MPLS enabled network 1400, label tables, or a Label Information Base (LIB), are consulted by each component: LER 2 1408, LER 1 1410, LSR 1 1409, LSR 2 1411, and LSR 3 1403. For example, an inbound reference maintained by the LIB is determined, and an outbound interface, communication path or label-switching path (LSP), and outbound label are determined. An LSP includes a sequence of labels that identifies each node or LSR along a communication or transmission path from a source to a destination. An LSP is established either prior to data packets being transmitted or upon detection of a certain flow of data.

VVN module 1404 may be connected to LER 2 1408 and VVN gateway 1402 may be connected to LER 1 1410. LER 2 1408 may establish an LSP for VVN module 1404 to send data packets to VVN gateway 1402. Similarly, LER 1 1410 may set up an LSP for VVN gateway 1402 to send data packets to VVN module 1404. As such, an LSP for sending data packets to VVN gateway 1402 from VVN module 1404 may be different from an LSP for sending data packets from VVN gateway 1402 to VVN module 1404. In this manner, all data packets coming from VVN module 1404 are routed to VVN gateway 1402 within the MPLS network and all data packets from VVN gateway 1402 are directed to VVN module 1404 via MPLS enabled private LAN 1400. As such, MPLS enabled private LAN 1400 escorts data packets, or ensures that a specific destination for visitor data packets may be achieved.

In some embodiments, LER 1 1410 may be incorporated within or provided as a part of VVN gateway 1402. Similarly, LER 2 1408 may be incorporated within or provided as a part of VVN module 1404. In this manner, VVN module 1404 and VVN gateway 1402 may establish an LSP for data packets. For example, when data packets are delivered from VVN module 1404 to VVN gateway 1402, VVN module 1404 may generate labels for data packets to be maintained within an LIB and VVN gateway 1402 may delete labels from the LIB when data packets are received. Likewise, when data packets are communicated from VVN gateway 1402 to VVN module 1404, VVN gateway 1402 may create labels within an LIB and VVN module 1404 may remove labels from the LIB. In this manner, one or more portions of an MPLS network may be provided as a part of a virtual visitor network to allow a visitor to access a public network from within a private network without compromising security of an enterprise network.
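The label handling of FIG. 14 (push at the ingress LER, swap at each LSR against its LIB, pop at the egress LER, with the module-to-gateway and gateway-to-module LSPs taking different paths) is simulated below as an added example. It is not code from the patent or from any MPLS implementation; the node names follow the figure's LER/LSR labels, while the label values, the forwarding-equivalence-class names and the particular LSR sequence of each LSP are assumptions made for the example. The final case shows the escort property: a packet from the module toward a destination for which the ingress LER holds no LSP is dropped at the edge rather than forwarded.

```python
"""Label switching along the two visitor LSPs of FIG. 14 (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class LabelNode:
    name: str
    # Ingress LER only: forwarding equivalence class (destination) -> (next hop, label to push)
    fec: dict = field(default_factory=dict)
    # Label Information Base: incoming label -> (next hop, outgoing label); None = pop and deliver
    lib: dict = field(default_factory=dict)


def forward(nodes: dict, ingress: str, destination: str, payload: bytes):
    """Walk a packet along the LSP: push at ingress, swap per LIB, pop at egress.
    Returns (egress node name, payload, trace of label operations)."""
    trace = []
    node = nodes[ingress]
    if destination not in node.fec:
        # No LSP toward this destination: the ingress LER drops the packet instead of
        # falling back to plain IP forwarding, which is what confines visitor traffic.
        raise LookupError(f"{ingress}: no LSP toward {destination}; packet dropped")
    next_hop, label = node.fec[destination]
    trace.append((node.name, "push", label))
    while True:
        node = nodes[next_hop]
        if label not in node.lib:
            raise LookupError(f"{node.name}: label {label} not in LIB; packet dropped")
        next_hop, out_label = node.lib[label]
        if out_label is None:
            trace.append((node.name, "pop", label))
            return node.name, payload, trace
        trace.append((node.name, "swap", (label, out_label)))
        label = out_label


def build_fig14_network() -> dict:
    """Assumed LSPs: module -> gateway via LSR 1 and LSR 3; gateway -> module via LSR 2."""
    nodes = {n: LabelNode(n) for n in ("LER2", "LSR1", "LSR2", "LSR3", "LER1")}
    # Forward LSP: VVN module 1404 behind LER 2 1408 -> VVN gateway 1402 behind LER 1 1410
    nodes["LER2"].fec["vvn-gateway"] = ("LSR1", 101)
    nodes["LSR1"].lib[101] = ("LSR3", 102)
    nodes["LSR3"].lib[102] = ("LER1", 103)
    nodes["LER1"].lib[103] = (None, None)
    # Return LSP takes a different path, as the text allows
    nodes["LER1"].fec["vvn-module"] = ("LSR2", 201)
    nodes["LSR2"].lib[201] = ("LER2", 202)
    nodes["LER2"].lib[202] = (None, None)
    return nodes


if __name__ == "__main__":
    net = build_fig14_network()
    print(forward(net, "LER2", "vvn-gateway", b"visitor request")[2])
    print(forward(net, "LER1", "vvn-module", b"reply")[2])
```

The drop-on-missing-LSP behaviour is a modelling choice that makes the confinement explicit; real LERs commonly fall back to IP forwarding for traffic with no matching LSP, so in a deployment the escort property rests on the ingress LER (or a VVN module that incorporates it, as the text suggests) having no other forwarding path for visitor packets.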

FIG. 15 illustrates a functional block diagram of a single port virtual visitor network module operable to provide a visitor access to a public network from within a private local area network according to one embodiment of the invention. A private local area network (LAN), illustrated generally at 1500, includes a local area network Ethernet access point 1501, operable to provide access to a visitor computer 1503 using a single port VVN module 1502 operable to be coupled to LAN Ethernet 1501. Single port VVN module 1502 may be implemented to allow a single individual to access private LAN 1500 and may be provided as a standalone module or as an accessory that may be provided as a part of, or incorporated within, visitor computer 1503. For example, as a standalone module or device, VVN module 1502 may use an AC adapter for power, and single port VVN module 1502 may include only two communication ports (not expressly shown). One port connects to LAN Ethernet 1501 and a second port connects to visitor computer 1503. As such, only a single user may connect to single port VVN module 1502 and access LAN Ethernet 1501.

During use, information or data packets communicated from visitor computer 1503 may be processed to ensure that a virtual visitor network is maintained within LAN Ethernet 1501. Single port VVN module 1502 may be well suited for use within a hotel room or a multiple residential community where single port VVN module 1502 may be located as a permanent device within a specific room.

In another embodiment, single port VVN module 1502 may be a Universal Serial Bus (USB) enabled device that is powered by visitor computer 1503 when plugged into a USB port of visitor computer 1503. For example, a visitor may plug USB enabled single port VVN module 1502 into a USB port of visitor computer 1503. A network cable such as an RJ-45 cable provided in association with, or integrated as a part of, USB enabled single port VVN module 1502 may be coupled to a wall outlet of LAN Ethernet 1501. In this manner, single port VVN module 1502 may communicate with a VVN server (not expressly shown) without tethering users together to a multi-port VVN module, thereby allowing visitors mobility within an enterprise premise and enabling visitors to use any LAN outlet within private LAN 1500.

Note that although an embodiment of the invention has been shown and described in detail herein, along with certain variants thereof, many other varied embodiments that incorporate the teachings of the invention may be easily constructed by those skilled in the art. Benefits, other advantages, and solutions to problems have been described above with regard to specific embodiments. However, the benefits, advantages, solutions to problems, and any element(s) that may cause any benefit, advantage, or solution to occur or become more pronounced are not to be construed as a critical, required, or essential feature or element of any or all the claims. Accordingly, the invention is not intended to be limited to the specific form set forth herein, but on the contrary, it is intended to cover such alternatives, modifications, and equivalents, as can be reasonably included within the spirit and scope of the invention.

1-33. (canceled)
34. A system for escorting packets from a source device to a destination device in a private network comprising: a processor; memory in electronic communication with the processor; and instructions stored in the memory, the instructions being executable to: receive a packet from the source device; encapsulate the packet from the source device with a first header and a second header, wherein the first header indicates an encryption method, and wherein the second header includes routing information.
35. The system of claim 34, wherein the encryption method indicated by the first header comprises proprietary encryption.
36. The system of claim 34, wherein the encryption method indicated by the first header comprises IPsec.
37. The system of claim 34, wherein the first header comprises an identifier that indicates no encryption method is used.
38. The system of claim 34, wherein the second header comprises a source address and a destination address, and wherein the source address is the source device address, and wherein the destination address is the destination device address.
39. The system of claim 34, wherein the source device is allowing a visitor access to a public network.
40. A method for escorting packets from a source device to a destination device in a private network comprising: receiving a packet from the source device; encapsulating the packet from the source device with a first header and a second header, wherein the first header indicates an encryption method, and wherein the second header includes routing information.
41. The method of claim 40, wherein the encryption method indicated by the first header comprises proprietary encryption.
42. The method of claim 40, wherein the encryption method indicated by the first header comprises IPsec.
43. The method of claim 40, wherein the first header comprises an identifier that indicates no encryption method is used.
44. The method of claim 40, wherein the second header comprises a source address and a destination address, and wherein the source address is the source device address, and wherein the destination address is the destination device address.
45. The method of claim 40, wherein the source device is allowing a visitor access to a public network.
46. A network for escorting packets from a source device to a destination device comprising: an access point to provide access to the network; a processor; memory in electronic communication with the processor; and instructions stored in the memory, the instructions being executable to: receive a packet from the source device; encapsulate the packet from the source device with a first header and a second header, wherein the first header indicates an encryption method, and wherein the second header includes routing information.
47. The network of claim 46, wherein the encryption method indicated by the first header comprises proprietary encryption.
48. The network of claim 46, wherein the encryption method indicated by the first header comprises IPsec.
49. The network of claim 46, wherein the first header comprises an identifier that indicates no encryption method is used.
50. The network of claim 46, wherein the second header comprises a source address and a destination address, and wherein the source address is the source device address, and wherein the destination address is the destination device address.
51. The network of claim 46, wherein the source device is allowing a visitor access to a public network.